Whe using pam_winbind with BOTH global:require_membership_of AND global:krb5_auth the group-membership check does not work.
Reason (as I believe):
In nsswitch/pam_winbind.c, function winbind_auth_request():
line 412: ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_AUTH, &request, &response, user);
sets the ret-value to PAM_AUTH_ERR correctly when group-membership fails,
but
line 429: ret = pam_putenv(pamh, var);
overwrites the ret-value with PAM_SUCCESS
Solution: As in the following code, use a temporary return variable for the pam_putenv()-call...
Regards,
Thomas Bünnemann